Yes, I know it's not the catchiest blog post title and the answer seems fairly straightforward. I would also like to stress that this is unlikely to happen and we are, in no way, trying to cause panic or fear. However, at Cortex Consulting, we have picked up on rumours that not all software vendors are resting on their laurels during the current global pandemic. I should stress that these are just rumours and we are unable to verify them but I thought it was worthwhile putting some notes together and examining a variety of big-name vendor audit clauses in detail to ensure that no organisation is caught off-guard when they have so much else to focus on at the moment.
As we know from experience, the key moment in any audit request is how you respond to it. Too many organisations still panic when confronted by an audit, usually because they cannot confidently lay claim to understanding their licence consumption for the vendor in question. If you've ever received a formal audit letter, you'll know that most, if not all, vendors will reproduce the contractual clause giving them the right to audit somewhere within the letter. This is done to try and allay any questions from the off about whether the right to audit even exists but it also works in your favour. If you carefully read the clause (and we've reproduced a few excerpts below for analysis) and understand it, the answer to any audit request at a time like this is right in front of you.
Microsoft - "Verification will take place during normal business hours and in a manner that does not interfere unreasonably with Customer's business operations."
The above is from the Microsoft Business and Services Agreement, which is gradually being phased out. If your business with Microsoft is conducted under this agreement, you can simply refuse to comply with the audit because you could reasonably consider that, at a time of global pandemic when most businesses have invoked some form of business continuity plan, a software audit would interfere unreasonably with your business operations. If your contractual vehicle with Microsoft is different, however, it is not quite so straightforward. Neither of the audit clauses in their new Microsoft Customer Agreement (MCA - introduced in Oct 2019) and the Microsoft Product and Services Agreement (MPSA) contain this phrasing. Both of these, though, do contain phrasing along the lines of the customer providing any information or system access "reasonably" requested by Microsoft or a 3rd party during the course of the audit process. You could argue, again, that requesting any system access would be unreasonable when your engineers are probably heavily engaged in keeping your systems running through business continuity. The same goes for any information that would need to be exported from your systems to fulfil the data requests.
Oracle - "Any such audit shall not unreasonably interfere with Your normal business operations."
This is taken from Oracle's current audit clause in the Oracle Master Agreement but also appears in pretty much every legacy agreement where there is an audit right. Per the above comments regarding Microsoft, any audit during a global pandemic could be said to unreasonably interfere with your normal business operations.
IBM - "Such verification will be conducted in a manner that minimizes disruption to Licensee’s business, and may be conducted on Licensee’s premises, during normal business hours."
The audit clause quoted by IBM in their standard software licence review letter is taken from the International Program Licence Agreement (IPLA), under which all IBM software is licensed, and it contains the excerpt quoted above. If you are a Passport Advantage or Passport Advantage Express customer, any distributed software licences can be reviewed under the slightly different audit clause inserted into these agreements. That said, they both still contain the excerpt above. Again, the answer is obvious - any attempt to audit now could be argued to cause disruption to your business.
These are, quite obviously, the major vendors covered. But what about some of the tier 2 vendors who, in some cases at least, depend on audit revenue to help them hit their sales targets?
The point, really, is that the majority of software vendors will have some form of audit clause and contain wording that, if you fully understand it, will allow you to bat away a request that would be deemed unreasonable during the current crisis. If you are approached, this should be your plan:
You will, most likely, find that the vendor will return as soon as they are reasonably able. The key then is to be ready for it. If you would like help with designing an audit defence strategy and process, please feel free to reach out to us via our contact page, via LinkedIn or Twitter.